This rating reflects an organization's ability to provide
technology services in a secure environment. It reflects not only
the condition of IT operations but also factors such as
reliability, security, and integrity, which may affect the quality
of the information delivery system. The factors include customer
support and training, and the ability to manage problems and
incidents, operations, system performance, capacity planning, and
facility and data management. Risk management practices should
promote effective, safe, and sound IT operations that ensure the
continuity of operations and the reliability and availability of
data. The scope of this component rating includes operational risks
throughout the organization and service providers.

The rating of IT support and delivery is based on a review and
assessment of requirements such as:

The ability to provide a level of service that meets the
requirements of the business;

The adequacy of security policies, procedures, and practices in
all units and at all levels of the financial institution and
service providers;

The adequacy of data controls over preparation, input,
processing, and output;

The adequacy of corporate contingency planning and business
resumption for data centers, networks, service providers and
business units;

The quality of processes or programs that monitor capacity and
performance;

The adequacy of controls and the ability to monitor controls at
service providers;

The quality of assistance provided to users, including the
ability to handle problems;

The adequacy of operating policies, procedures, and
manuals;

The quality of physical and logical security, including the
privacy of data;

The adequacy of firewall architectures and the security of
connections with public networks.

In addition to the above, factors such as the following are
included in the assessment of support and delivery at service
providers:

The adequacy of customer service provided to clients; and

The ability of the entity to provide and maintain service level
performance that meets the requirements of the client.

Ratings

A rating of 1 indicates strong IT support and
delivery performance. The organization provides technology services
that are reliable and consistent. Service levels adhere to
well-defined service-level agreements and routinely meet or exceed
business requirements. A comprehensive corporate contingency and
business resumption plan is in place. Annual contingency plan
testing and updating is performed, and critical systems and
applications are recovered within acceptable time frames. A formal
written data security policy and awareness program is communicated
and enforced throughout the organization. The logical and physical
security for all IT platforms is closely monitored, and security
incidents and weaknesses are identified and quickly corrected.
Relationships with third-party service providers are closely
monitored. IT operations are highly reliable, and risk exposure is
successfully identified and controlled.

A rating of 2 indicates satisfactory IT
support and delivery performance. The organization provides
technology services that are generally reliable and consistent;
however, minor discrepancies in service levels may occur. Service
performance adheres to service agreements and meets business
requirements. A corporate contingency and business resumption plan
is in place, but minor enhancements may be necessary. Annual plan
testing and updating is performed and minor problems may occur when
recovering systems or applications. A written data security policy
is in place but may require improvement to ensure its adequacy. The
policy is generally enforced and communicated throughout the
organization, e.g., through a security awareness program. The
logical and physical security for critical IT platforms is
satisfactory. Systems are monitored, and security incidents and
weaknesses are identified and resolved within reasonable time
frames. Relationships with third-party service providers are
monitored. Critical IT operations are reliable and risk exposure is
reasonably identified and controlled.

A rating of 3 indicates that the performance
of IT support and delivery is less than satisfactory and needs
improvement. The organization provides technology services that may
not be reliable or consistent. As a result, service levels
periodically do not adhere to service-level agreements or meet
business requirements. A corporate contingency and business
resumption plan is in place but may not be considered
comprehensive. The plan is periodically tested; however, the
recovery of critical systems and applications is frequently
unsuccessful. A data security policy exists; however, it may not be
strictly enforced or communicated throughout the organization. The
logical and physical security for critical IT platforms is less
than satisfactory. Systems are monitored; however, security
incidents and weaknesses may not be resolved in a timely manner.
Relationships with third-party service providers may not be
adequately monitored. IT operations are not acceptable and
unwarranted risk exposures exist. If not corrected, weaknesses
could cause performance degradation or disruption to
operations.

A rating of 4 indicates deficient IT support
and delivery performance. The organization provides technology
services that are unreliable and inconsistent. Service-level
agreements are poorly defined and service performance usually fails
to meet business requirements. A corporate contingency and business
resumption plan may exist, but its content is critically deficient.
If contingency testing is performed, management is typically unable
to recover critical systems and applications. A data security
policy may not exist. As a result, serious supervisory concerns
over security and the integrity of data exist. The logical and
physical security for critical IT platforms is deficient. Systems
may be monitored, but security incidents and weaknesses are not
successfully identified or resolved. Relationships with third-party
service providers are not monitored. IT operations are not reliable
and significant risk exposure exists. Degradation in performance is
evident and frequent disruption in operations has occurred.

A rating of 5 indicates critically deficient
IT support and delivery performance. The organization provides
technology services that are not reliable or consistent.
Service-level agreements do not exist and service performance does
not meet business requirements. A corporate contingency and
business resumption plan does not exist. Contingency testing is not
performed and management has not demonstrated the ability to
recover critical systems and applications. A data security policy
does not exist, and a serious threat to the organization's security
and data integrity exists. The logical and physical security for
critical IT platforms is inadequate, and management does not
monitor systems for security incidents and weaknesses.
Relationships with third-party service providers are not monitored,
and the viability of a service provider may be in jeopardy. IT
operations are severely deficient, and the seriousness of
weaknesses could cause failure of the financial institution or
service provider if not addressed.